Temporarily changing passwords in AD by storing hash somewhere else



Aug 20, 2006, 6:31:43 PM
As a sysadmin, I'd like to be able to temporarily change a user's
password, such that I can log onto their machine, make profile-specific
local changes, and then set it back to the original password.

I want to do this by copying the password hash from userPassword or
unicodePwd to somewhere like extensionAttribute1, changing the password
as usual, and then copying it back when finished. (I would ultimately
like it to be a menu option in the MMC, such as

I read on the web and the newsgroups that you can't read the password
hash via LDAP. There are utilities that will attempt to crack a
password DB - where are they getting their hashes from? Is there a
simple way around this?


Joe Kaplan (MVP - ADSI)

Aug 20, 2006, 10:04:46 PM
There is no simple way around this. The cracking tools need access to the
physical DIT file and get the data that way.

Unfortunately, there is also no supported way to read or write the hashes,
so if you want to put the password back as it was, you'd need to get the
cleartext password by cracking it.

It might be better to just reset the user's password and force them to
change at next logon after you do the stuff you are doing. I realize this
goes against what you were trying to accomplish, but you are really fighting
the way AD wants to work. :)

Joe K.

Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
<crai...@gmail.com> wrote in message

Joe Richards [MVP]

Aug 20, 2006, 11:42:27 PM
You either need to attack the DIT directly as JoeK mentions or you have
to inject code into LSASS, neither is a good thing.

Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition




Aug 23, 2006, 3:38:57 PM

Is there another way to solve your problem? What changes are you trying
to make? Can they be made by changing settings for the user from an
admin account?

(I don't really like the idea of resetting passwords as that would lose
anything in the protected store and I suppose that it is a Good Thing
that no-one has come up with a way for an admin to easily change a
password and then set it back.)
